Defender TI analytics in Defender for Cloud Apps
RVC, the key benefit DTI provides to MDCA is automatic enrichment of activity data with additional threat intelligence signals. For example, when an activity such as a risky IP login or malware file download is detected by MDCA, DTI automatically tags that activity with threat categories, geographic info, and other telemetry.
This enrichment happens by default within the Microsoft 365 Defender data pipelines that MDCA leverages. So no explicit configuration or data injection into MDCA is needed - the integration is handled behind the scenes. Of course, MDCA can also take advantage of DTI data surfaced in solutions like Microsoft Sentinel through their bi-directional connection. But even without that, MDCA is continually enhanced by DTI to improve threat detection and response for cloud apps.